1. Network Intrusion Detection System (NIDS)
2. Packet Sniffer
3. Packet Logger - logs using TCPDump format
Tasks:
1. Download and install Snort NIDS
a. snort.org
b. Confirm MD5SUM: 'md5sum snort-2.8.0.2.tar.gz' Compare to snort-2.8.0.2.tar.gz.md5
c. Import GPG key used to sign the current release of Snort
d. gpg --verify snort-2.8.0.2.tar.gz.sig snort-2.8.0.2.tar.gz
Requirements:
1. gcc - C compiler
2. make - creates binaries
3. libpcre - provides access to Perl Compatible Regular Expressions
4. mysql-devel* - provides access to MySQL
5. libpcap* - provides the packet capture library used by TCPDump
e. Extract and install (compile) Snort NIDS
e1. tar -xzvf snort-2.8.0.2.tar.gz - creates top-level directory
e2. ./configure --with-mysql --enable-dynamicplugin - checks for prerequisites, including: mysql-devel, libpcre, gcc, make, etc.
e3. make - creates binaries
e4. su (to 'root') and execute 'make install' - places the binaries in an accessible location under /usr/local/
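Steps b through d are where the download is checked before anything is compiled. As an added shell example (not from the original post), the function below automates step b, failing closed on a missing tarball, a missing or malformed .md5 file, or a digest mismatch, and wraps the gpg call from step d; the file names are the page's, and the demo data is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: verify a downloaded Snort
# tarball against its published .md5 file before extracting it. Assumes the
# .md5 file uses md5sum's layout: "<32 hex digits>  <filename>".
# Note: the MD5 check only detects a corrupted or mismatched download; the GPG
# signature check (verify_sig) is what ties the release to the Snort signing key.

# verify_md5 TARBALL MD5FILE -> 0 if the digest matches, 1 otherwise (fail closed)
verify_md5() {
    tarball=$1
    md5file=$2
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    [ -f "$md5file" ] || { echo "missing digest file: $md5file" >&2; return 1; }

    # Published digest: first field of the first line, lower-cased.
    expected=$(awk 'NR==1 {print tolower($1)}' "$md5file")
    # Reject an empty or malformed digest so a truncated file cannot "match".
    printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{32}$' \
        || { echo "malformed digest in $md5file" >&2; return 1; }

    # Locally computed digest of the file actually downloaded.
    actual=$(md5sum "$tarball" | awk '{print tolower($1)}')
    if [ "$expected" = "$actual" ]; then
        echo "md5 OK: $tarball"
        return 0
    fi
    echo "md5 MISMATCH for $tarball: expected $expected, got $actual" >&2
    return 1
}

# verify_sig TARBALL SIGFILE -> the page's step d; needs the release key imported (step c)
verify_sig() {
    gpg --verify "$2" "$1"
}

# Demo with constructed data (a fake tarball and a matching .md5): sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf 'constructed stand-in for the tarball\n' > "$tmp/snort-2.8.0.2.tar.gz"
    ( cd "$tmp" && md5sum snort-2.8.0.2.tar.gz > snort-2.8.0.2.tar.gz.md5 )
    verify_md5 "$tmp/snort-2.8.0.2.tar.gz" "$tmp/snort-2.8.0.2.tar.gz.md5"
    rm -rf "$tmp"
fi
```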
Usage - Packet Sniffer:
1. snort -v -i eth0 - reveals layers 3 & 4 of the OSI model
2. snort -vde -i eth0 - reveals layers 2-7
3. snort -vde -i eth0 tcp port 23
Usage - Packet Logger:
1. snort -v -i eth0 -l ./ tcp port 23 - logs a binary file in the current directory, with a Unix epoch timestamp suffix
2. snort -b -i eth0 - attempts to log in: /var/log/snort
3. snort -b -L test.snort.log -i eth0 - creates: /var/log/snort/test.snort.log.UnixEpochDate
Note: Snort drops fewer packets when run in binary logging mode than in verbose (dump-to-screen) mode